Systemic vs Systematic thinking

I have been reflecting on the distinction between Systemic thinking and Systematic thinking as part of a course I am currently studying and wanted to share my thoughts in the context of cyber security within a digital organisation. My motives for writing this blog post are to help me clarify in my mind how these two types of thinking differ, and how they may work together, as well as to help stimulate discussion.

According to Ray Ison, Systemic thinking means “understanding things systemically [by putting] them into a context, to establish the nature of their context” (Ison, Ray, Systems Practice: How to Act — In situations of uncertainty and complexity in a climate-change world, Spring, 2017, p24). Therefore, I believe it is a cognitive tool that allows us to understand the interdependencies between various parts of a system when viewed collectively. We may not understand all the relationships or know how to describe them, but we view them as part of a larger system.

When thinking systemically in the context of an organisation, we understand that cyber security consists of many different parts all related in some way to act protectively or adversarially within the organisation. Systemic thinking allows us to view cyber security as part of the whole organisation without the need to construct the individual components that affect the security of an organisation. For example, we may consider cyber security as a threat, or we may consider it a benefit, and use those perceptions to define a strategy.

Systematic thinking is different, because it “usually takes place in a linear, step-by-step manner” (Ison, Ray, Systems Practice: How to Act — In situations of uncertainty and complexity in a climate-change world, Spring, 2017, p24) that allows us to examine the relationships between the elements of the whole system. The example here is breaking down cyber security into an analysis of the various security components such as threats, threat actors, security tooling, vulnerabilities, and security weaknesses. The process involves understanding the relationships between these components and helping us understand how each component can protect or even be used against an organisation.

Using two approaches together is important. There is no preference of one over the other, because they are both useful tools in the systems thinking toolbox. However, they have different purposes. Systemic thinking allows us to frame a collection of relationships through a cognitive lens to give us a contextual understanding, while systematic thinking allows us to frame each component in a more structured way.

As stated at the top of this blog post, I am open to other thoughts on the difference between systemic and systematic thinking, especially in the domain of cyber security in a digital organisation. If you have any suggestions, please feel free to comment.